A recent study by FireEye reveals that cyber-attacks relying on malicious Office documents are increasingly using a technique called VBA Purging. It also found that a related open-source tool is available.
The attackers leave the VBA source code in the Office document rather than the compiled code, which lets the file evade detection more effectively. The malicious documents store their VBA code within streams of Compound File Binary Format (CFBF) files; in Microsoft's terms for VBA macros, the VBA data is kept in a hierarchy made up of several streams.
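The VBA source kept in the module streams (and in the project's dir stream) is stored as an MS-OVBA compressed container, so an analyst extracting macros from a purged document still has to decompress it before reading the code. The decompressor below is an added example, not code from the FireEye study or its tool; the compressed bytes and the module offset are constructed, and the source code page is assumed to be Latin-1.

```python
import struct


def decompress_ovba(container: bytes) -> bytes:
    """Decompress an MS-OVBA CompressedContainer (signature byte 0x01, then chunks)."""
    if not container or container[0] != 0x01:
        raise ValueError("not an MS-OVBA compressed container")
    out = bytearray()
    pos = 1
    while pos < len(container):
        chunk_start_in = pos
        (header,) = struct.unpack_from("<H", container, pos)
        pos += 2
        chunk_end = chunk_start_in + (header & 0x0FFF) + 3   # size field is total size - 3
        compressed = bool(header & 0x8000)                   # bit 15: 1 = compressed chunk
        chunk_start_out = len(out)
        if not compressed:                                   # raw chunk: 4096 literal bytes
            out += container[pos:pos + 4096]
            pos += 4096
            continue
        while pos < chunk_end:
            flags = container[pos]                           # one flag bit per following token
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:                   # literal token: one raw byte
                    out.append(container[pos])
                    pos += 1
                    continue
                (token,) = struct.unpack_from("<H", container, pos)  # copy token
                pos += 2
                # Offset/length bit split depends on how much of this chunk is decoded so far.
                done = len(out) - chunk_start_out
                bit_count = max(4, (done - 1).bit_length())
                length = (token & (0xFFFF >> bit_count)) + 3
                offset = (token >> (16 - bit_count)) + 1
                for _ in range(length):                      # overlapping copies are allowed
                    out.append(out[-offset])
    return bytes(out)


# Constructed sample: literals "abc" followed by a copy token (offset 3, length 9).
SAMPLE_COMPRESSED = bytes([0x01, 0x05, 0xB0, 0x08, 0x61, 0x62, 0x63, 0x06, 0x20])


def extract_module_source(module_stream: bytes, module_offset: int) -> str:
    """VBA source of one module: MODULEOFFSET (from the dir stream) points past the
    compiled PerformanceCache, if any is present, to the compressed source text."""
    return decompress_ovba(module_stream[module_offset:]).decode("latin-1")
```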
According to FireEye, “Searching with this logic on VirusTotal reveals a large number of malicious documents, meaning this is very prevalent in the wild and in use by attackers.”